Configuring aaa authentication methods for, An isp domain – H3C Technologies H3C SecPath F1000-E User Manual
Page 220
210
Step Command
Remarks
6.
Enable the self-service server
location function and specify
the URL of the self-service
server.
self-service-url enable url-string
Optional.
Disabled by default.
7.
Define an IP address pool for
allocating addresses to PPP
users.
ip pool pool-number
low-ip-address
[ high-ip-address ]
Optional.
By default, no IP address pool is
configured for PPP users.
8.
Specify the default
authorization user profile.
authorization-attribute
user-profile profile-name
Optional.
By default, an ISP domain has no
default authorization user profile.
NOTE:
•
If a user passes authentication but is authorized with no user profile, the firewall authorizes the default
user profile of the ISP domain to the user and restricts the user's behavior based on the profile.
•
A self-service RADIUS server, such as Comprehensive Access Management System (CAMS) or
Intelligent Management Center (IMC), is required for the self-service server location function to work.
Configuring AAA authentication methods for an ISP domain
In AAA, authentication, authorization, and accounting are separate processes. Authentication refers to
the interactive authentication process of username/password/user information during an access or
service request. The authentication process neither sends authorization information to a supplicant nor
triggers any accounting.
AAA supports the following authentication methods:
•
No authentication (none)—All users are trusted and no authentication is performed. Generally, do
not use this method.
•
Local authentication (local)—Authentication is performed by the NAS, which is configured with the
user information, including the usernames, passwords, and attributes. Local authentication allows
high speed and low cost, but the amount of information that can be stored is limited by the
hardware.
•
Remote authentication (scheme)—The access device cooperates with a RADIUS or HWTACACS
server to authenticate users. Remote authentication provides centralized information management,
high capacity, high reliability, and support for centralized authentication service for multiple access
devices. You can configure local or no authentication as the backup method, which is used when
the remote server is not available. No authentication can only be configured for LAN users as the
backup method of remote authentication.
You can configure AAA authentication to work alone without authorization and accounting. By default,
an ISP domain uses the local authentication method.
Before configuring authentication methods, complete the following tasks:
•
For RADIUS or HWTACACS authentication, configure the RADIUS, or HWTACACS scheme to be
referenced first. The local and none authentication methods do not require a scheme.
•
Determine the access type or service type to be configured. With AAA, you can configure an
authentication method for each access type and service type, limiting the authentication protocols
that can be used for access.